
Spring4Shell Vulnerabilities: CVE-2022-22963 CVE-2022-22965 - Software Change Manager


Article ID: 238600

Products

CA Harvest Software Change Manager
CA Harvest Software Change Manager - OpenMake Meister

Issue/Introduction

Two CVEs for the new Spring4Shell zero-day vulnerability:

- CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
  https://tanzu.vmware.com/security/cve-2022-22963

- CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
  https://tanzu.vmware.com/security/cve-2022-22965

Is Software Change Manager (Harvest) vulnerable?

Yes.

Environment

CA Harvest Software Change Manager versions 13.0.4, 14.0.0, 14.0.2

Impacted Components:

Rest API, SCM Mobile

NOTE: If you are not using the Rest API or the Mobile interface of Harvest, this fix is not applicable and you are not impacted by this vulnerability.

Resolution

1. Workaround:

If you are running Harvest on Adopt OpenJDK 11, downgrade to Adopt OpenJDK 8 as a temporary workaround (CVE-2022-22965 only applies on JDK 9 and later).
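Because the workaround hinges on which JDK the Harvest Rest API and SCM Mobile components run on, the first thing to verify is the major version of the runtime. The script below is an added example (it is not Broadcom's code and not part of this article): it parses the banner line printed by `java -version`, handling both the pre-JDK 9 "1.x.y_z" scheme and the newer "N.m.p" scheme, and reports whether the runtime meets the JDK 9+ precondition of CVE-2022-22965. The sample banner lines are constructed, and the function names are the example's own.

```python
import re
import subprocess

# Constructed sample first lines of `java -version` output (not captured from a
# real Harvest host); they cover the two version-string formats in the wild.
SAMPLE_VERSION_LINES = {
    "jdk8": 'openjdk version "1.8.0_292"',
    "jdk11": 'openjdk version "11.0.14.1" 2022-02-08',
    "jdk17": 'openjdk version "17" 2021-09-14',
}


def java_major_version(version_line: str) -> int:
    """Return the JDK major version from the first line of `java -version`.

    Pre-JDK 9 runtimes print "1.x.y_z" (the major version is x); JDK 9 and
    later print "N", "N.m" or "N.m.p" (the major version is N).
    Raises ValueError for anything that is not a Java version banner.
    """
    match = re.search(r'version "([^"]+)"', version_line)
    if not match:
        raise ValueError(f"not a java -version line: {version_line!r}")
    parts = match.group(1).split(".")
    if parts[0] == "1":
        # Old scheme, e.g. 1.8.0_292 -> 8
        return int(parts[1].split("_")[0])
    # New scheme, e.g. 11.0.14.1 -> 11, 17 -> 17, 17-ea -> 17
    return int(re.match(r"\d+", parts[0]).group(0))


def jdk_in_cve_2022_22965_scope(version_line: str) -> bool:
    """CVE-2022-22965 requires JDK 9+. A JDK 8 runtime corresponds to the
    article's temporary workaround; JDK 9+ needs the vendor fix applied."""
    return java_major_version(version_line) >= 9


def installed_java_version_line() -> str:
    """First line of the local `java -version` banner (java prints it on stderr)."""
    result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return result.stderr.splitlines()[0]


if __name__ == "__main__":
    for name, line in SAMPLE_VERSION_LINES.items():
        if jdk_in_cve_2022_22965_scope(line):
            status = "JDK 9+: in scope for CVE-2022-22965, apply the fix"
        else:
            status = "JDK 8: at workaround level"
        print(f"{name}: {line!r} -> {status}")
    try:
        live = installed_java_version_line()
        print(f"local runtime: {live!r} -> in scope: {jdk_in_cve_2022_22965_scope(live)}")
    except (FileNotFoundError, IndexError):
        print("no local java on PATH; live check skipped")
```

Run it on the host that serves the Rest API or SCM Mobile interface; if the runtime reported is JDK 9 or later, either apply the release-specific fix from the table in this article or fall back to JDK 8 until you can.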

2. Fix Details

If you continue to use Adopt OpenJDK 11, a fix is available that addresses the vulnerability.

For details of the fix available for each release, refer to the table below.

Sl.No   Release   Fix Details and Support page links
1       14.0.2    https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111467&os=WINDOWS-ALL
2       14.0.0    https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111471&os=WINDOWS-ALL
3       13.0.4    https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111472&os=WINDOWS-ALL

Additional Information

If you have further questions, raise a support ticket with Broadcom.